Classification
Title: urllib2 does not correctly handle multiple www-authenticate headers in an HTTP response
Type:   Stage:
Components:   Versions: Python 2.7

Process
Status: open   Resolution:
Dependencies:   Superseder:
Assigned To: orsenthil
Nosy List: Dmitry.Beransky, Sigmund.Augdal, dfischer, loewis, martin.panter, orsenthil, petri.lehtinen
Priority: normal   Keywords: patch

Created on 2011-11-02 16:06 by dfischer, last changed 2015-02-10 06:39 by martin.panter.

Files
File name: urllib2_basicauth.patch
Uploaded: dfischer, 2011-11-06 22:51
Description: fixes issues with multiple www-authenticate headers
Messages (10)
msg146842 - (view) Author: David Fischer (dfischer) Date: 2011-11-02 16:06
I ran into an application that responded with two www-authenticate challenges to an HTTP request. First, it sends a standard Basic authentication challenge and then it also returns a www-authenticate header referencing another scheme. This looks legal to me according to rfc2617.

However, the regex in AbstractBasicAuthHandler that parses the www-authenticate header only grabs one of the challenges (the last one) and therefore urllib2 will not respond to the challenge with credentials.
msg146866 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2011-11-02 18:43
> I ran into an application that responded with two www-authenticate
> challenges to an HTTP request. First, it sends a standard Basic
> authentication challenge and then it also returns a www-authenticate
> header referencing another scheme.

What exactly do you mean by "then"? In HTTP, there is only a single
response to a single request, so in what way does the server send
two responses to a single request?
msg146867 - (view) Author: David Fischer (dfischer) Date: 2011-11-02 18:47
Perhaps I should have chosen my words more carefully. There are two www-authenticate headers in the single HTTP response.
msg146870 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2011-11-02 19:15
So what do you propose to do? RFC 2617 specifies

   The user agent MUST choose to use one of the challenges with the
   strongest auth-scheme it understands and request credentials from the
   user based upon that challenge.
msg146875 - (view) Author: David Fischer (dfischer) Date: 2011-11-02 20:11
I think the key words in the RFC are "strongest auth-scheme it understands". I think in an ideal world, the urllib2 opener (given its handlers) would see that it doesn't understand the second auth-scheme and then see if it understands the first one. However, the term "strongest" implies an ordering among the auth schemes.
msg146981 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2011-11-03 21:25
Would you like to provide a patch?
msg147193 - (view) Author: David Fischer (dfischer) Date: 2011-11-06 22:51
With this patch, the AbstractBasicAuthHandler (and its subclasses) performs a regex search on the amalgamated "www-authenticate" header for basic authentication.

This fixes the case where you have an HTTP response of the form:

HTTP/1.1 401 Authorization Required
Server: HTTPd/1.0
WWW-Authenticate: Basic realm="Secure Area"
WWW-Authenticate: SomethingElse realm="Alternative"
...

In the above case, AbstractBasicAuthHandler will attempt basic auth against the "Secure Area" realm.
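The parsing problem behind msg147193, and the "strongest auth-scheme it understands" selection discussed in msg146875, as an added Python 3 example. This is not the attached patch and not urllib2's own code: the sample 401 headers are constructed from the response quoted above, OLD_RX is a pattern of the same shape as the one in urllib2 2.7's AbstractBasicAuthHandler (reproduced from memory, so treat its exact text as an assumption), the ", " joining mirrors how I recall Python 2's httplib exposing repeated headers (also an assumption), and the strength ordering passed to choose_challenge is a hypothetical caller policy.

```python
import email
import re

# Constructed sample: the headers of the 401 response quoted in msg147193.
RESPONSE_HEADERS = (
    "Server: HTTPd/1.0\r\n"
    'WWW-Authenticate: Basic realm="Secure Area"\r\n'
    'WWW-Authenticate: SomethingElse realm="Alternative"\r\n'
    "\r\n"
)

# Same shape as the regex in urllib2 2.7's AbstractBasicAuthHandler (assumption:
# reproduced from memory). The leading (?:.*,)* greedily skips past every comma,
# so re.search lands on the LAST challenge of a comma-joined header value.
OLD_RX = re.compile(r'(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)

# Corrected approach: anchor each match at the start of the value or at a
# separating comma and iterate with finditer, so every challenge is seen.
CHALLENGE_RX = re.compile(r'(?:^|,)\s*([^\s,]+)\s+realm=(["\']?)([^"\']*)\2', re.I)


def amalgamated_www_authenticate(raw_headers):
    """Join repeated WWW-Authenticate headers with ', ' (assumption: this is how
    Python 2's httplib presents them to the auth handler)."""
    msg = email.message_from_string(raw_headers)
    return ", ".join(msg.get_all("WWW-Authenticate") or [])


def old_style_pick(header_value):
    """The reported behaviour: a single (scheme, realm) pair, always the last one."""
    m = OLD_RX.search(header_value)
    return (m.group(1), m.group(3)) if m else None


def parse_challenges(header_value):
    """Every (scheme, realm) pair in the amalgamated value, in header order."""
    return [(m.group(1), m.group(3)) for m in CHALLENGE_RX.finditer(header_value)]


def find_basic_realm(header_value):
    """What a Basic auth handler needs: the realm of the Basic challenge, if any."""
    for scheme, realm in parse_challenges(header_value):
        if scheme.lower() == "basic":
            return realm
    return None


def choose_challenge(header_value, schemes_strongest_first):
    """RFC 2617's rule quoted in msg146870: use the strongest scheme we understand.
    The ordering is the caller's (hypothetical) policy, e.g. ["digest", "basic"]."""
    challenges = parse_challenges(header_value)
    for wanted in schemes_strongest_first:
        for scheme, realm in challenges:
            if scheme.lower() == wanted.lower():
                return (scheme, realm)
    return None


if __name__ == "__main__":
    value = amalgamated_www_authenticate(RESPONSE_HEADERS)
    print("amalgamated:", value)
    print("old regex picks:", old_style_pick(value))
    print("all challenges:", parse_challenges(value))
    print("basic realm:", find_basic_realm(value))
    print("strongest understood:", choose_challenge(value, ["digest", "basic"]))
```

On the sample headers the old pattern returns the SomethingElse challenge and the Basic one is never tried, which is why credentials are not sent; the finditer version sees both and lets the handler act on the "Secure Area" realm. Splitting the joined value naively on commas would not work, because challenge parameters are themselves comma-separated, which is why the corrected pattern requires a scheme token followed by whitespace and `realm=` after each comma.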
msg196783 - (view) Author: Sigmund Augdal (Sigmund.Augdal) Date: 2013-09-02 14:46
Can someone please apply this patch or provide a reason why it should not be applied?
msg196784 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2013-09-02 15:31
Sigmund: Sorry for the delay. I shall act on this.
msg235670 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2015-02-10 06:39
Issue 15310 appears to have a more thorough patch.
History
Date | User | Action | Args
2015-02-10 06:39:27 | martin.panter | set | nosy: + martin.panter; messages: + msg235670
2013-09-02 15:31:51 | orsenthil | set | messages: + msg196784
2013-09-02 14:46:00 | Sigmund.Augdal | set | nosy: + Sigmund.Augdal; messages: + msg196783
2011-11-06 22:51:52 | dfischer | set | files: + urllib2_basicauth.patch; keywords: + patch; messages: + msg147193
2011-11-03 21:25:10 | loewis | set | messages: + msg146981
2011-11-02 20:11:58 | dfischer | set | messages: + msg146875
2011-11-02 19:26:35 | petri.lehtinen | set | nosy: + petri.lehtinen
2011-11-02 19:15:40 | loewis | set | messages: + msg146870
2011-11-02 18:47:50 | dfischer | set | messages: + msg146867
2011-11-02 18:43:08 | loewis | set | nosy: + loewis; messages: + msg146866; title: urllib2 does not correctly handle multiple www-authenticate headers in an HTTP response (no visible change)
2011-11-02 17:16:56 | Dmitry.Beransky | set | nosy: + Dmitry.Beransky
2011-11-02 16:20:26 | orsenthil | set | assignee: orsenthil; nosy: + orsenthil
2011-11-02 16:06:05 | dfischer | create |